Microsoft SharePoint ToolShell actively exploited zero-day (CVE-2025-53770)

Vulnerability
H score 50
1 unique source, 1 article

Summary

CVE-2025-53770 (ToolShell) is an actively exploited zero-day in on-premise Microsoft SharePoint servers that exposes systems to unauthenticated remote code execution and full file-system access. Microsoft issued emergency updates on July 21, 2025, after the flaw was abused in attacks. The vulnerability has been used against government, university, telecom, and finance targets, making the risk immediate for exposed deployments.

Related Happenings

Microsoft hit by cyberattack

Incident
H score 68 First: 09.06.2026 18:42 Last: 09.06.2026 18:42 Sources 1

About this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...

Microsoft CVD response for Windows Defender and BitLocker

Advisory/Mitigation
H score 47 First: 28.05.2026 16:53 Last: 28.05.2026 16:53 Sources 1

About this happening: **Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
H score 46 First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

About this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...

Latest development: 10.06.2026 12:57

On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.

Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office

Trend
H score 19 First: 19.05.2026 17:00 Last: 19.05.2026 17:00 Sources 1

About this happening: Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...

Rwl.angular-console (Nx Console) hit by network compromise

Incident
H score 41 First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

Timeline

  1. 22.10.2025 13:24 1 article · 7mo ago

    ToolShell active exploitation disclosed for SharePoint servers

    Initial Disclosure

    CVE-2025-53770 was disclosed as an actively exploited zero-day affecting on-premise Microsoft SharePoint servers, with attacks already targeting government agencies, universities, telecommunication service providers, and finance organizations.

  2. 22.10.2025 13:24 1 article · 7mo ago

    Microsoft issues emergency SharePoint updates for ToolShell

    Mitigation Patch Update

    Microsoft released emergency updates for CVE-2025-53770 on July 21 after the SharePoint zero-day was disclosed the previous day, providing a patch path for exposed on-premise servers.

  3. 22.10.2025 13:24 1 article · 7mo ago

    ToolShell intrusion on a Middle East telecommunications provider

    Technical Analysis Update

    On July 21, CVE-2025-53770 exploitation against a telecommunications service provider in the Middle East planted webshells for persistent access, then used DLL side-loading with legitimate Trend Micro and BitDefender executables to launch Zingdoor, a suspected ShadowPad Trojan, KrustyLoader, Sliver, ProcDump, Minidump, LsassDumper, PetitPotam (CVE-2021-36942), Certutil, GoGo Scanner, and Revsocks.

  4. 22.10.2025 13:24 2 articles · 7mo ago

    Broader ToolShell campaign spans four regions

    Campaign Scope Update

    Assessment of ToolShell activity links compromises in the Middle East, South America, the U.S., and Africa to government, university, telecom, and finance targets, with malware typically associated with Salt Typhoon and evidence that the vulnerability was used by a larger set of Chinese threat actors than previously known.
